Search actions

Splunk software provides a set of controls that you can use to manage "in process" searches and to create reports and dashboards.

Control search job progress

After you launch a search, you can access and manage information about the search job without leaving the Search view.

After your search is running, paused, or finalized, click Job from the Search actions group.

Select an option from the list.

Edit job settings. Opens the Job Settings dialog, where you can change the read permissions for the job, extend the job lifespan, and get a URL for the job. You can use the URL to share the job with others or to add a bookmark to the job in your Web browser.

Send job to the background. Runs the job on the background. Use this option if the search job is slow to complete. This enables you to work on other activities, including running a new search job.

Inspect job. Opens the Search Job Inspector window and displays information and metrics about the search job. You can select this action while the search is running or after the search completes. For more information, see View search job properties.

Delete job. Deletes the current job, even if that job is running, paused, or has finalized. After you delete the job you can still save the search as a report.

Save the results

The Save as menu lists options for saving the results of a search as a report, dashboard panel, alert, and event type.

Report

Saves a search as a report to use the search again later. You can run the report again from the Reports page. You access the Reports page from the App bar. Read more about how to Create and edit reports in the Reporting Manual.

Dashboard Panel

Generates a dashboard panel based on your search and add it to a new or existing dashboard. To learn more, see the Dashboard overview in the Dashboards and Visualizations manual.

Alert

Defines an alert based on your search. An alert runs a report in the background (either on a schedule or in real time). When the search returns results that meet a condition you have set in the alert definition, the alert is triggered. For more information, see the Alerting Manual.

Other search actions

Between the job progress controls and search mode selector are three buttons which enable you to Share, Export, and Print the results of a search.

Click Share to share the job. When you select this, the job's lifetime is extended to 7 days and read permissions are set to Everyone. For more information about jobs, see About jobs and job management in this manual.

Click Export to export the results. You can select to output to CSV, raw events, XML, or JSON and specify the number of results to export.

Click Print to send the results to a printer that has been configured.

Additionally, use the Close button next to Save as menu to cancel the search and return to Splunk Home.

Search actions

Enter your email address, and someone from the documentation team will respond to you:

Send me a copy of this feedback

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »